red flags rule FAQ

The Red Flags Rule: What Your Dealership Needs to Know to Be in Compliance

Does your dealership have a written identity theft prevention program to comply with the Red Flags Rule?

Running an auto dealership isn’t easy, and there are countless rules and regulations owners are told they need to follow — often without much explanation. There is one regulation in place, however, that every auto dealership needs to understand and implement to be fully compliant: The Red Flags Rule.

The Red Flags Rule protects consumers and businesses from the growing risk of identity theft. It began on January 1, 2011 and is enforced by the Federal Trade Commission (FTC) and several other agencies.

Under the Red Flags Rule, certain types of businesses are required to create and implement a written identity theft prevention program to detect the “red flags” associated with identity theft in their day-to-day operations. The FTC considers red flags to be “the potential patterns, practices, or specific activities indicating the possibility of identity theft.”

Auto dealerships must follow the Red Flags Rule because of the part they play in helping customers finance their vehicle purchases.

Identity theft can cause huge problems for individuals and businesses — from damaged credit to unpaid bills to empty bank accounts — that last for years. By identifying suspicious activity, auto dealerships can hopefully prevent incidents of identity theft from happening and avoid the trouble that these criminals can cause.

Red Flags Rule: Compliance–a four-step process

Though following the Red Flags Rule is non-negotiable for auto dealers, how your dealership interprets the rule is slightly flexible. There is an understanding that certain red flags will not be the same for every business, or even every dealership, so it is up to the individual organization to identify those. Dealerships are judged on the overall effectiveness of their program, not on the specific execution.

Step 1: Identify the red flags relevant to your dealership

Under FTC recommendations, there are 26 different types of red flags a business may encounter; they are categorized under five larger umbrellas:

Alerts, notifications, and warnings from a credit reporting company – fraud or active duty alert on a credit report, notice of credit freeze

Suspicious documents – identification looking altered or forged, information on identification differs from what the person is telling you

Personal identifying information – inconsistencies in information, a Social Security number that has already been used by someone else, a fake address

Account activity – does not generally apply to auto dealerships

Notice from other sources – someone reaches out to tell you an account has been opened or used fraudulently.

Determine risk factors within your dealership, possible sources of red flags, and which specific suspicious activity your team should be looking for regularly.

Step 2: Detecting the red flags

Aside from using common sense and a sharp eye to detect red flags, think about if there are any other ways your dealership can approach compliance. For example, using identity verification methods can be helpful — this could be asking for several different types of identification, and then comparing all of that information to what you receive on a lead’s credit report.

Step 3: How to respond when there is a red flag

In addition to identifying red flags and teaching your team to detect them, you need to decide what happens when those red flags are found. For auto dealerships, some appropriate responses may include contacting the customer, refusing to sell him the vehicle, or notifying law enforcement agencies.

Step 4: Keep the program up-to-date

As identity thieves change their methods and the technology to catch them improves, you’ll need to update your own identity theft prevention program. Make it a priority to review your program annually, and do so even sooner in the event of regulatory changes.

Writing your own Red Flags Rule program and putting it into action

All of the steps mentioned above need to be documented in writing and pulled together into a written document. The person charged with administering the program should report to senior management at least once a year with a written assessment to evaluate the program’s effectiveness. Any suspicious activity that gets addressed throughout the year should be documented and kept on file for a designated amount of time.

Be smart and hire someone who handles all of your dealership’s compliance. It’s better to be prepared and doing business correctly, than to suffer the fines and consequences for being non-compliant.

For your auto dealership to be compliant, you must have a well-thought-out, written identity theft prevention plan created and implemented. The specifics of the plan are more so up to you to determine, but as long as the plan works and you are able to prevent identity theft, your dealership should be in compliance with the Red Flags Rule and ready to do business.